Questions about using SSL

brgdotnet asked:
I have some questions about SSL.
1) If I use SSL for my website, does that also mean that I will be using "https" instead of "http"?
2) What are the risks of using my own created SSL certificate, rather than paying a provider like Verisign?
3) When an application user logs in using SSL, is the server-side username and password encrypted?
4) Why don't all software shops use SSL as it seems to be the most secure method for username and password authentication?
1. Yes, you will be using HTTPS when using SSL. In fact, HTTPS is HTTP over SSL.
2. Your certificate is just like you issuing an SSN or your passport to yourself. Who will take responsibility that you are the authentic party?
3. Every communication in SSL is encrypted; that is what SSL is for.
4. Because SSL is not cheap; it comes with a cost, and the more reliable the provider, the higher the cost.

Hope I cleared it.
Michael Fowler, Solutions Consultant, commented:
1/ Yes, although you can allow http as well as https if desired
2/ Modern browsers will display an error page when you access a page using a self-signed certificate; in addition, they introduce a number of security issues: https://en.wikipedia.org/wiki/Self-signed_certificate
3/ SSL encrypts the data being sent between the client and server machines. Once the data reaches the receiving machine it is decrypted for use. So effectively usernames and passwords are only encrypted in transit.
4/ SSL adds a layer of complexity and cost, and in some cases the overhead of SSL could slow response times. The question to ask yourself is, what is the likelihood and impact of a hacker accessing the secure section of your site, and then make a call on whether the added expense is worth it.
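Point 3 above is the one most often misread: TLS protects the credential only on the wire, and the server receives the plaintext. The snippet below is an added example (not code from the answerer or from this site) of what the server side should do with that plaintext: store and compare a salted PBKDF2 hash rather than the password itself. The user record, iteration count and password are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed demo value; pick a current recommended count for production.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage at rest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


# Constructed user store: this is all the database holds, never the plaintext.
USERS = {"alice": hash_password("correct horse battery staple")}

# Hashed once at start-up so unknown users cost the same time as known ones.
DUMMY_HASH = hash_password("dummy-password-for-timing")


def login(username: str, password: str) -> bool:
    """Server-side check run on the plaintext that arrived over TLS."""
    stored = USERS.get(username)
    if stored is None:
        verify_password(password, DUMMY_HASH)  # same work, no user enumeration
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong password"))                # False
```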
1)  Yes
2)  If you don't protect the Certificate Authority server, e.g., with a firewall, an antivirus application, maybe an IDS, the added security isn't as good.  Verisign certificates are secure.  To mitigate the risk, put the CA behind a firewall (quite secure), in the DMZ (somewhat secure), make sure it is a Linux/Unix server, or Windows server with an antivirus.
3)  SSL authentication can be done with no usernames and no passwords.  SSL does support encryption however.
4)  Good question.  They should.  For certain matters like subscribing to newsletters, the threats and risks aren't substantial.  I think that more websites should support encryption etc.  Many people use email in ways that they shouldn't.